lyft 

April 4, 2019 

Seleta Reynolds 
General Manager 

City of Los Angeles Department of Transportation 
100 S. Main St., 10th Floor 
Los Angeles, CA 90012 

RE: Protecting Our Customers' Privacy Under MDS (Agency-API) 

Dear Ms. Reynolds, 

As you know, our relationship with the City of Los Angeles was founded on partnership and a 
shared vision of the future of mobility. Over the past six years, we have worked together 
diligently to meet mutual goals. Now we are committed to working with the City to ensure that 
we provide you with the data you need to regulate micro-mobility services in a manner that 
does not unnecessarily impinge upon the privacy of our customers. Data privacy is a matter of 
great importance to our customers, and we are asking for your cooperation in addressing their 
and our concerns. 

Indeed, we appreciate your willingness to engage with Lyft on the development and 
implementation of MDS (Agency-API). While these exchanges have been ongoing, they have 
lacked transparency, adequate public and stakeholder input, and have been bound by 
arbitrary deadlines. We continue to have fundamental concerns with Agency-API, which are 
detailed below. To get this right, we request LADOT pause Agency-API implementation on 
April 15 until a thorough and transparent process can identify possible problems, address 
them, and improve the standard. 

In particular, we are concerned that: 

• Agency-API requires Lyft to provide our customers' highly granular origin and 
destination data in real time and their complete route data at the end of their trip via 
the Provider-API. 

• LADOT's Privacy Protection Principles and use of a third party to store data are 
insufficient safeguards to secure our customers' information from breach, abuse, and 
disclosure. 

• LADOT has provided no justification for requiring, collecting, and storing detailed 
records of every scooter trip. We strongly believe LADOT can effectively regulate micro¬ 
mobility providers without risking the privacy of our customers. 
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While LADOT has asserted that this information will be anonymized, privacy experts have 
warned the City that location data can still be connected to an individual who rides scooters 
between personal locations such as their residence, place of employment, medical facilities, 
political events, and places of worship. An MIT study titled "Unique in the Crowd: The privacy 
bounds of human mobility" found that two randomly chosen origin and destination pairs could 
be used to re-identity more than 50% of individuals. 1 This study finds that mobility traces are 
highly unique and can therefore be re-identified using little outside information. Similarly, 
additional incidents and studies show that "anonymized" data such as New York City taxi trip 
details 2 and Netflix viewing habits 3 could easily be reverse engineered to expose individual 
information to the public 4 . The data being demanded by LADOT is far more granular and 
expansive than the studies outlined above, posing significant re-identification risks. 

At a time when the public is increasingly concerned with data privacy and government 
collection of personal information, Agency-API will gather exact geolocation of individuals, 
store it, and use it for undefined purposes with few guardrails around how the data is shared 
with third parties and secured. Such a process violates the reasonable privacy expectations of 
our customers, and we owe it to them to take a strong position — especially considering the 
potential for MDS (Agency-API) to become the global standard. 

Problems with Agency-API 

In numerous conversations with LADOT, Lyft has raised specific concerns regarding Agency- 
API. 

1. LADOT would collect highly granular real-time and slightly delayed data that would allow 
the City to track the precise movements of our customers. Real-time tracking amounts to an 
enormous privacy invasion with numerous unintended consequences. 

• Agency-API requires operators to share live origin and destination data in real time, 
exposing consumers to disclosure risks. As Jeremy Gillula of the digital rights privacy 


1 Yves-Alexandre de Montjoye, Cesar A. Hidalgo, Michel Verleysen & Vincent D. Blondel, “Unique in the Crowd: The 
privacy bounds of human mobility,’’ Nature, March 25, 2013, https://www.nature.com/articles/srep01376. 

2 Jeroen van der Ham, “On Taxis and Rainbows: Anonymising is not easy,’’ Rathenau Institute, June 19, 2015, 
https://1sand0s.nl/2015/06/on-taxis-and-rainbows-anonymising-is-not-easy/. 

3 Arvind Narayanan & Vitaly Shmatikov, “Robust De-anonymization of Large Datasets (How to Break Anonymity of 
the Netflix Prize Dataset),” The University of Texas at Austin, February 5, 2008, https://arxiv.org/abs/cs/0610105. 

4 Paul Ohm, “Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization,” UCLA Law 
Review, 2010, https://www.uclalawreview.org/pdf/57-6-3.pdf. 
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organization Electronic Frontier Foundation has noted, "this data is incredibly, 
incredibly sensitive." 5 

• The Center for Democracy and Technology's (CDT) policy counsel Joseph Jerome has 
stated that "this sort of combination of private data in public hands is going to be a 
bigger and bigger issue, and when it's geolocation there are some particular 
questions." 6 CDT stated in a letter to LADOT that "location information is among the 
most sensitive data, especially when collected over extended periods of time. People's 
movements from place to place can reveal sexual partners, religious activities, and 
health information." 7 

• As the taxi and Netflix examples cited above demonstrate, there are numerous methods 
to take anonymized geolocation data and reveal sensitive information about how 
people move around cities. This underscores the need to think critically about the level 
of data collected as well as how it's secured, used, and accessed. 

• Many of the communities in Los Angeles that are the most underserved from a 
transportation perspective, and therefore more likely to use micro-mobility devices, are 
also the communities that are most likely to come into contact with law enforcement — 
raising significant concerns that Agency-API could become a surveillance tool for law 
enforcement. 

2. Agency-API does not follow the LADOT's own principle of Data Minimization outlined in its 
Privacy Protection Principles. 

• LADOT has not specifically and clearly committed to transparent use cases for the vast 
amounts of granular data collected through Agency-API. Compounding this issue is 
LADOT's reliance on a third party, Remix, to ingest and store data. 

• Shared Streets, a nonprofit organization that helps cities and companies share 
transportation data, has said that "none of the things they've [the City] outlined in terms 
of transportation planning, or enforcement, or oversight requires keeping a record of 
where everyone has traveled." 8 


5 Laura J. Nelson, “L.A. wants to track your scooter trips. Is it a dangerous precedent?,” Los Angeles Times, March 
15, 2019, https://www.latimes.com/local/lanow/la-me-ln-los-angeles-scooter-surveillance-privacy-20190315- 
story.html. 

6 Joseph Cox, “Scooter Companies Split on Giving Real-Time Location Data to Los Angeles,” Motherboard, March 
19, 2019, https://motherboard.vice.com/en_us/article/yw8j5x/scooter-companies-location-data-los-angeles-uber-lyft- 
bird-lime-permits. 

7 Natasha Duarte & Joseph Jerome, "RE: Privacy Considerations in Dockless Mobility Pilot Program," Center for 
Democracy & Technology, November 29, 2018, https://cdt.org/files/2018/11/CDT_LADOT_Dockless-Mobility- 
Comments.pdf. 

8 Jeremy B. White, “'This is creepy': In LA, scooters become the next data privacy fight,” Politico, March 6, 2019, 
https://www.politico.com/states/california/story/2019/03/01/this-is-creepy-in-la-scooters-become-the-next-data- 
privacy-fight-883121. 
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3. There are many unresolved questions and serious issues relating to LADOT's use of a third 
party, Remix, to ingest, store, and interpret data collected through Agency-API. 

• Remix has indicated it intends to reuse and sell data and insights gleaned from data 
collected through programs like this one. This violates the City's own principle of 
Access Limitation. 

• There is no legal agreement in place between LADOT and Remix that holds Remix 
accountable or holds them to any standards. This is incredibly concerning given the 
implementation deadline is looming. 

• It is unclear if the arrangement between LADOT and Remix is compliant with the 
California Consumer Privacy Act and the California Electronic Communications Privacy 
Act. 

4. Agency-API results in unprecedented government control over an individual's right to make 
purchasing decisions by locking out access to individual scooters until the government deems 
it is appropriate. 

• Agency-API allows LADOT to dynamically control Lyft's Service Area without notice. This 
requires customers to ask "permission" to start or end trips, as opposed to 
communicating constraints ahead of time, creating a poor experience. Customers will 
be able to see scooters on the map, only to find when they try to start a ride, they are 
unable to do so. 

5. The data sharing standard unveiled by LADOT may be particularly problematic if adopted 
outside Los Angeles. 

• Other cities that adopt Agency-API may have fewer safeguards in place to prevent 
misuse. For example, as a Sanctuary City, Los Angeles has committed to not sharing 
data with immigration officials, but other cities may not have these policies in place and 
data in those cities could be used to aid immigration enforcement. Privacy experts have 
pointed to the Immigration and Customs Enforcement Agency's use of Automatic 
License Plate Reader data as a way to target individuals for immigration enforcement. 9 

• Former Los Angeles Assemblyman Mike Gatto, the past Chairman of the Consumer 
Protection & Privacy Committee, noted that when government agencies create public 


9 Jazmine Ulloa, “ICE is tracking immigrants with the help of California sanctuary cities, court records show,’’ Los 
Angeles Times, March 13, 2019, https://www.latimes.com/politics/la-pol-ca-ice-license-plate-immigrants-20190313- 
story.html. 
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databases, "law enforcement has the ability to access it, and they will." 10 Law 
enforcement agencies have already engaged in that behavior. * 11 

• Data security requires expertise, continual monitoring, and investment. Other cities or 
third parties may not have the resources to be able to adequately secure and defend 
this data. 

• While Los Angeles will classify data collected through Agency-API as personally 
identifiable information (PII) and said it will not be subject to public records requests, 
laws in other jurisdictions may demand that this data be subject to public disclosure 
upon request. 

Outstanding Questions 

In our conversations with LADOT, Lyft raised many questions about the application of Agency- 

API, including: 

• What are LADOT's explicit use cases for this data and what is LADOT's commitment to 
using the data only for these purposes? Is LADOT collecting only the minimum amount 
of data necessary to achieve these goals? 

• Who will have access to data collected through Agency-API? What legal, technical, and 
organizational measures will be taken to protect customer information? 

• How will Remix be held accountable for securing and restricting use of data collected 
through Agency-API? Will they be restricted from reusing or selling data? 

• How will LADOT protect Agency-API data from being disclosed as a result of public 
records requests? 

• How is LADOT vetting their policies with privacy and security experts? What is being 
done to remedy any concerns or vulnerabilities? 

• Is Agency-API compliant with the California Consumer Privacy Act and the California 
Electronic Communications Privacy Act? 


Conclusion 


We are highly interested in collaborating on data-sharing policies that will aid the City in 
thoughtful regulation and infrastructure planning. Lyft is committed to working with cities to 
encourage the transformation of cities designed for people, not cars. We know we have a 


10 Jeremy B. White, “'This is creepy': In LA, scooters become the next data privacy fight,” Politico, March 6, 2019, 
https://www.politico.eom/states/california/story/2019/03/01/this-is-creepy-in-la-scooters-become-the-next-data- 
privacy-fight-883121. 

11 Thomas Peele, “Kensington: New records show more cops used confidential database to gather personal 
information on police board member,” San Jose Mercury, February 20, 2019, 

https://www.mercurynews.com/2019/02/20/kensington-new-records-show-cops-used-confidential-database-to-gather- 

personal-information-on-police-board-candidate/. 
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responsibility to assist cities in understanding how micro-mobility devices are being used in 
their communities. 

Last year, Lyft joined the National Association of Transportation Officials' SharedStreets 
initiative with the Open Transport Partnership and committed to sharing data with cities to 
understand patterns of Transportation Network Company demand and hotspots for 
pickup/drop-off activity. These data insights are already being used for transportation 
planning efforts such as helping cities identify locations to convert parking spaces to loading 
zones in support of Vision Zero safety goals. 

We had hoped LADOT would engage in a transparent and public discourse that included 
stakeholder engagement from privacy organizations and the broader public that resulted in a 
standard that collected enough data to serve its defined purpose while minimizing risk from 
overcollection. Unfortunately, this did not happen. 

Lyft remains hopeful that Agency-API can be improved. We request that the City considers 
the challenges detailed in this letter and the opportunities to work together to strengthen the 
data protocols. Due to the concerns raised by privacy experts, operators, and consumers, we 
ask that LADOT delay Agency-API implementation until a formal, inclusive process to 
improve the policy and prioritize customer privacy has been undertaken. 

To that end, we are more than willing to participate in an open forum on how to accomplish 
our shared goals without compromising privacy, and appreciate your attention to this matter. 


Sincerely, 


Caroline Samponaro 

Head of Bike, Scooter & Pedestrian Policy 


cc (by email): 

Mayor Eric Garcetti 

Members of the Los Angeles City Council 
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